A Tale of Two Emails: Business Email Compromise

Business Email Compromise (BEC) fraud is a growing threat for companies of all sizes and all sectors. Last year, almost 89% of companies experienced at least one email fraud attack.

It was the best of times, it was the worst of times

Let’s look at two examples of companies that were faced with email compromise fraud. One was prepared to take control and minimize damage from the compromise, and the other wasn’t. Learn from their mistakes and don’t let it happen to you. (Names have been changed to protect identity).

Exhibit A: Umbrella Corporation

When one of Umbrella Corporation's users had a suspicious sign-in attempt from an unrecognized device, their conditional access policy blocked the sign-in automatically and raised an alert.

Azure AD also raised an alert indicating that the user's credentials may have been compromised. Umbrella Corporation's Office 365 environment is monitored by SWC's Managed Defense, so the SWC Operations Center notified the user and forced a password change, which kept the attacker from reusing the stolen password elsewhere. Umbrella's 24/7/365 security monitoring then kept watching for any further use of the exposed credentials.

Exhibit B: Vandelay Industries

Now, when one of the users from Vandelay Industries fell for a phishing email, it didn’t go as smoothly.

Under normal circumstances the user was getting MFA (multi-factor authentication) prompts regularly, and tapping the "approve" button on their phone had become second nature. Then one day an attacker got hold of the user's password and attempted to log in, and the MFA push notification went to the user's phone as usual. The user approved it, because they get hit with these prompts all the time. MFA adds a valuable extra layer of trust, but a push prompt only proves that someone tapped "approve"; it did not help in this instance of human error.

The attacker then had free access to whatever they pleased, for days on end. It took almost four days to discover the compromise (in other cases this can take weeks or even months) because no one was monitoring the environment, so no action could be taken to limit the damage.
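The pattern in Vandelay's case, a burst of unanswered or declined push prompts followed by an approval, is visible in the sign-in logs and can be alerted on in minutes rather than discovered days later. The following is an added example, not code from the original post or from SWC: it runs over constructed sign-in records whose field names (userPrincipalName, status.errorCode, deviceDetail.isManaged) follow the Azure AD sign-in log shape, and it assumes error code 500121 marks a strong-authentication (MFA) prompt that was declined or timed out; both the field names and the code should be checked against your tenant's real export before the rule goes live.

```python
"""MFA-fatigue (push bombing) detection over Azure AD style sign-in records.

Added example, not code from the original post. Records are constructed and
simplified; see the lead-in for which names and codes are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MFA_FAILURE_CODES = {500121}      # assumption: MFA push declined or not answered
WINDOW = timedelta(minutes=10)    # how long a burst of prompts counts as "recent"
BURST_THRESHOLD = 3               # unapproved prompts that count as push bombing


@dataclass
class Alert:
    user: str
    severity: str     # "medium": burst of prompts; "high": burst then approval on an unmanaged device
    when: datetime
    detail: str


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mfa_fatigue(records, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts for users who see a burst of failed MFA prompts, and for any
    successful sign-in that follows recent prompt failures within the window."""
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        failures = []                                  # timestamps of recent MFA failures
        for rec in recs:
            now = _ts(rec["createdDateTime"])
            failures = [t for t in failures if now - t <= window]
            code = rec["status"]["errorCode"]
            if code in MFA_FAILURE_CODES:
                failures.append(now)
                if len(failures) == threshold:          # fire once per burst
                    alerts.append(Alert(user, "medium", now,
                                        f"{threshold} MFA prompts not approved within {window}"))
            elif code == 0 and failures:                # success after recent prompt failures
                unmanaged = not rec.get("deviceDetail", {}).get("isManaged", False)
                burst = len(failures) >= threshold
                if burst or unmanaged:
                    sev = "high" if (burst and unmanaged) else "medium"
                    alerts.append(Alert(user, sev, now,
                                        f"sign-in from {rec['ipAddress']} succeeded after "
                                        f"{len(failures)} failed MFA prompts; managed={not unmanaged}"))
                failures = []
    return alerts


def _rec(upn, when, code, ip, managed):
    """One constructed sign-in record in a simplified Azure AD sign-in log shape."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "status": {"errorCode": code}, "deviceDetail": {"isManaged": managed}}


# Constructed sample: the Vandelay pattern (repeated prompts, then an approval from an
# unmanaged device) beside a user who ignored one prompt and then signed in from a managed laptop.
SAMPLE_RECORDS = [
    _rec("user@vandelay.example", "2023-03-01T09:00:00Z", 500121, "203.0.113.7", False),
    _rec("user@vandelay.example", "2023-03-01T09:01:30Z", 500121, "203.0.113.7", False),
    _rec("user@vandelay.example", "2023-03-01T09:02:45Z", 500121, "203.0.113.7", False),
    _rec("user@vandelay.example", "2023-03-01T09:03:50Z", 500121, "203.0.113.7", False),
    _rec("user@vandelay.example", "2023-03-01T09:05:10Z", 0,      "203.0.113.7", False),
    _rec("staff@umbrella.example", "2023-03-01T09:00:00Z", 500121, "198.51.100.4", True),
    _rec("staff@umbrella.example", "2023-03-01T09:04:00Z", 0,      "198.51.100.4", True),
]

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_RECORDS):
        print(alert.severity, alert.user, alert.when.isoformat(), alert.detail)
```

On the sample the Vandelay user produces a medium alert at the third unapproved prompt and a high alert when the approval finally comes from an unmanaged device; the Umbrella user, who missed one prompt and then signed in from a managed device, produces nothing. The medium alert is the one worth paging on, since it fires while the attacker is still being refused.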

After the compromise was remediated, Vandelay Industries contacted SWC to find out whether PII (Personally Identifiable Information) had potentially been exposed. There was so much data in that mailbox (15GB!) that it took us a week to scan it all. We found PII going back 5-6 years in the user's mailbox, which made the business impact of the breach on Vandelay far more severe.

Vandelay Industries could have taken several different precautions to lower the risk of compromise – or at least minimize the damage from it.

Lowering Risk from BEC Attacks

Modern workplace tools need modern security strategies to protect against evolving threats to your data and people. Businesses may not be able to stop every attempted BEC attack, but there are several things they can do to improve their processes so that data exposure is minimized.

Secure Identity – use conditional access with device-based authentication to protect your environment and avoid MFA fatigue: when sign-in also requires a managed device, a stolen password plus a tapped "approve" on the user's phone is still not enough for an attacker on an unenrolled machine. These features are included in Microsoft 365 and EMS, with E5 editions adding risk-based response automation. Many organizations already own these tools and just need to turn them on.
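What "turning it on" looks like, as an added example that is not the post's or Microsoft's own code: two Conditional Access policy bodies in the Microsoft Graph API schema, the MFA-only grant that a tapped "approve" satisfies beside the corrected grant that also requires an Intune-compliant device, with a small check that tells the two apart and a helper that posts a policy. The display names and the break-glass account object id are placeholders; the token is assumed to carry Policy.ReadWrite.ConditionalAccess (check the Graph permission reference for the current requirements).

```python
"""Conditional Access policy bodies for the Microsoft Graph API.

Added example, not the post's own code. Names and ids below are placeholders.
"""
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}   # the Graph built-in device controls


def _base_policy(display_name, grant_controls, break_glass_ids, report_only):
    return {
        "displayName": display_name,
        # Start in report-only: the sign-in logs then show who would have been blocked
        # without locking anyone out while unenrolled devices are still being cleaned up.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # Always exclude the break-glass (emergency access) accounts from a tenant-wide policy.
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": grant_controls,
    }


def mfa_only_policy(break_glass_ids, report_only=True):
    """The weak version: a stolen password plus one tapped 'approve' satisfies it."""
    return _base_policy("Require MFA (all users)",
                        {"operator": "OR", "builtInControls": ["mfa"]},
                        break_glass_ids, report_only)


def device_policy(break_glass_ids, report_only=True):
    """The corrected version: MFA AND a compliant device, so an approved push from
    a device the tenant does not manage still fails."""
    return _base_policy("Require MFA and compliant device (all users)",
                        {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
                        break_glass_ids, report_only)


def requires_managed_device(policy):
    """True when every way of satisfying the grant involves a managed device:
    AND with at least one device control, or OR where all options are device controls."""
    grant = policy["grantControls"]
    controls = set(grant["builtInControls"])
    if grant["operator"] == "AND":
        return bool(controls & DEVICE_CONTROLS)
    return bool(controls) and controls <= DEVICE_CONTROLS


def create_policy(policy, token):
    """POST the policy to Graph (placeholder token; not executed in this example)."""
    req = urllib.request.Request(
        GRAPH_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    break_glass = ["00000000-0000-0000-0000-000000000000"]   # placeholder object id
    weak, strong = mfa_only_policy(break_glass), device_policy(break_glass)
    print("weak requires device:", requires_managed_device(weak))
    print("strong requires device:", requires_managed_device(strong))
    print(json.dumps(strong, indent=2))
```

If you also run hybrid-joined Windows devices, an OR grant over compliantDevice and domainJoinedDevice still passes the check, since every option needs a managed device; an OR over mfa and compliantDevice does not, because the push alone would satisfy it. Review the report-only results in the sign-in logs before flipping the state to enabled.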